Internal audit consists of audit, investigation or review work carried out on a voluntary basis by an entity, for its own control purpose. The internal audit work may be carried out by the entity’s own full- time internal audit staff, or by an external accountancy firm.
There is no regulatory or statutory requirement for internal audit; therefore an entity will only carry out internal audit work if it considers the benefits sufficient to justify the cost.
Internal audit functions
Since there are no regulatory requirements for internal audit, the nature of internal audit work can vary substantially between different entities, depending on their size and structure, the nature of their business, the extent of computerization of the entity’s main operational systems, the attitude of senior management to risk management, the nature and scale of the perceived control risks, and so on.
Internal auditing activities will usually include one or more or the following:
- Monitoring of internal control: The establishment of an adequate internal control system is a responsibility of management and is an important aspect of good corporate governance. Because the internal control system needs to be monitored on a continuous basis, large companies are likely to establish an internal audit function to assist management in this role. Internal audit it therefore usually given specific responsibility by management for reviewing internal controls, monitoring their operation and recommending improvements via to the directors.
- Examination of financial and operating information.This may include review of the means used to identify, measure, classify and report such information or specific inquiry into individual items including detailed testing of transactions, balances and procedures.
- Review of the economy, efficiency and effectiveness of operation: This could include a review of non financial controls.
- Review of compliance with laws, regulations and other external requirements and with internal requirements such as management polices and directives.
- Special Investigations into particular areas such as suspected fraud. The majority of these activities will be classed as operational internal audit assignment. However, internal audit could also be asked to perform other assignments such as value for money audits.
- carrying out audits into the adequacy of financial controls in specific areas of the accounting system
- Carrying out audit into the adequacy of operational control in specific areas of the operational systems of the entity
- Auditing the adequacy of controls in the entity’s IT systems
- Reviewing the economy, efficiency and effectiveness of particular operations or activities:these reviews are called value for money (VFM) audits.
- Carrying out checks into compliance with key aspects of legal or regulatory requirements to which the entity is subject. For example a bank may use internal auditors to check compliance by the bank with regulations for the prevention or detection of money laundering. Similarly an oil company may use internal auditors to check into compliance with health and safety regulations at its operating sites.
- Examination and review of financial information produced by the entity.
- Special investigations, such as investigations into suspected cases of fraud within the entity.